DHCP Security breach

 
 
boomboom999@yahoo.com
15th Jun 2006
Hello,

I have an Active Directory integrated zone configured for secure
updates.
I am evaluating risks of permitting our DHCP server (Windows 2003-based
one) to register A and PTR records on behalf of workstations (Windows
XP).

If I understand correctly this option will compromise the whole idea of
the Secure DNS updates.

As the DHCP protocol is not secured at all, DHCP has absolutely no
means to validate who is requesting a DNS name update. So why does
Microsoft not mention these risks of allowing DNS updates via DHCP
servers? With a little effort, I can hijack any workstation's name.

Any ideas on how to secure DNS updates via DHCP?
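The name-hijack scenario the poster describes leaves a trace on the DHCP server itself: the audit log records which MAC address obtained each lease and when a DNS update succeeded on that client's behalf. The following Python script is an added detection example, not code from the thread; it assumes the classic Windows DHCP audit-log column layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address) and runs over constructed sample lines.

```python
"""Flag DHCP-driven DNS registrations that re-bind a hostname to a new MAC."""
import csv
from io import StringIO

# Windows DHCP audit-log event IDs: 10 = new lease, 11 = renewal,
# 32 = DNS update on behalf of the client succeeded.
NEW_LEASE, RENEW, DNS_UPDATE_OK = "10", "11", "32"

# Constructed sample (not from the thread). Assumed column layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
10,06/15/06,09:01:12,Assign,10.0.0.21,ws01.corp.example.com,0011223344AA
32,06/15/06,09:01:13,DNS Update Successful,10.0.0.21,ws01.corp.example.com,0011223344AA
11,06/15/06,11:30:40,Renew,10.0.0.21,ws01.corp.example.com,0011223344AA
10,06/15/06,13:45:02,Assign,10.0.0.77,ws01.corp.example.com,00DEADBEEF01
32,06/15/06,13:45:03,DNS Update Successful,10.0.0.77,ws01.corp.example.com,00DEADBEEF01
10,06/15/06,14:00:00,Assign,10.0.0.78,ws02.corp.example.com,001122334455
"""


def parse_audit_log(text):
    """Parse audit-log text into dicts, skipping header/comment lines."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not row[0].isdigit():
            continue
        rows.append({"id": row[0], "date": row[1], "time": row[2],
                     "desc": row[3], "ip": row[4],
                     "host": row[5].strip().lower(),
                     "mac": row[6].strip().upper()})
    return rows


def find_name_rebinds(rows):
    """Return (host, first_mac, new_mac, ip, time) for every successful
    DNS update that registered a hostname for a MAC other than the one
    that first leased that name. A legitimate NIC swap also trips this,
    so treat hits as triage leads, not verdicts."""
    first_owner = {}  # hostname -> MAC that first obtained a lease for it
    alerts = []
    for r in rows:
        if r["id"] in (NEW_LEASE, RENEW):
            first_owner.setdefault(r["host"], r["mac"])
        elif r["id"] == DNS_UPDATE_OK:
            owner = first_owner.get(r["host"])
            if owner is not None and r["mac"] != owner:
                alerts.append((r["host"], owner, r["mac"], r["ip"], r["time"]))
    return alerts


if __name__ == "__main__":
    for hit in find_name_rebinds(parse_audit_log(SAMPLE_LOG)):
        print("hostname re-registered by a different client:", hit)
```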

 
Kevin D. Goodknecht Sr. [MVP]
15th Jun 2006
(E-Mail Removed) wrote:
> Hello,
>
> I have an Active Directory integrated zone configured for secure
> updates.
> I am evaluating risks of permitting our DHCP server (Windows
> 2003-based one) to register A and PTR records on behalf of
> workstations (Windows XP).
>
> If I understand correctly this option will compromise the whole idea
> of the Secure DNS updates.
>
> As the DHCP protocol is not secured at all, DHCP has absolutely no
> means to validate who is requesting a DNS name update. So why does
> Microsoft not mention these risks of allowing DNS updates via
> DHCP servers? With a little effort, I can hijack any workstation's
> name.
>
> Any ideas on how to secure DNS updates via DHCP?


Your DHCP server can only be as secure as your network; if they can get past
your firewall to get an address assigned by your DHCP server, the DHCP
service is the least of your problems.
If you assign a dedicated user account with a non-expiring password on
the Advanced tab of the DHCP server properties sheet for DHCP to use to
authenticate with DNS, DHCP will be able to make secure updates.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps



 
boomboom999@yahoo.com
15th Jun 2006

Kevin D. Goodknecht Sr. [MVP] wrote:
> Your DHCP server can only be as secure as your network; if they can get past
> your firewall to get an address assigned by your DHCP server, the DHCP
> service is the least of your problems.


Yeah, but that is not a solution. I am looking for secure DNS updates
because I cannot fully trust my client workstations. The "real" secure
DNS updates are secured by Kerberos authentication. This Kerberos
authentication serves to prevent name hijacking.

I do not understand why Microsoft misleads customers by saying that DNS
updates made by DHCP can be secured. They are not secure at all.


Here is an explanation from MS KB:

http://support.microsoft.com/kb/816592/en-us

<<
Caution The secure dynamic updates functionality can be compromised if
the following conditions are true:

· You run a DHCP server on a Windows Server 2003-based domain
controller

· The DHCP server is configured to perform registration of DNS
records on behalf of its clients.

To avoid this issue, deploy DHCP servers and domain controllers on
separate computers, or configure the DHCP server to use a dedicated
user account for dynamic updates. For more information, see the "Using
DNS servers with DHCP" topic in Windows Server 2003 Help.
>>


This is a misleading statement. The secure updates are compromised
every time you decide to allow DHCP to update DNS records.

 
Jorge de Almeida Pinto [MVP]
15th Jun 2006
implement IPSEC

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx